Microsoft Purview: Insider Risk Management - IRM alerts in XDR

With this feature, IRM alerts and other supporting data will be available in the following Microsoft Defender XDR experiences:

1. IRM alerts will be surfaced in the unified alert and incident queues in Microsoft Defender XDR.
2. IRM alerts, indicators and enriched events will be available in Microsoft Defender XDR advanced hunting. Analysts can use KQL queries to identify potentially hidden risky patterns in data-security-related user activity.
3. IRM alerts, indicators and enriched events will be exposed through the Graph API.

This feature can be enabled through the “Share data with Microsoft Defender XDR” option within Microsoft Insider Risk Management settings.

IRM data in Microsoft Defender XDR does not honor anonymization. This is to enable effective correlation of IRM alerts with alerts from other solutions in the Microsoft Defender XDR platform (such as Defender for Endpoint, Defender for Cloud Apps, etc.).

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Product
Release phase: General Availability
Release date: June CY2026
Platform: Web
Cloud Instance: GCC, GCC High, DoD
Created: 2026-04-09 23:15:51Z
Roadmap ID: 560075
Roadmap Link: https://www.microsoft.com/microsoft-365/roadmap?id=560075

